Data Loss Prevention

  • 1.  Reducing Exception in policy

    Posted Jan 13, 2017 03:11 AM

    Hi

    I'm planning to reduce the exceptions in my current policies, as they are causing a heavy load on my Email Prevent File Reader. My current exceptions are configured in a way where each department has its own exception sender/recipient, so the list is quite big. Is there any way for me to reduce the exceptions?

     

    Regards



  • 2.  RE: Reducing Exception in policy

    Trusted Advisor
    Posted Jan 13, 2017 05:31 AM

    hello,

     

    How did you implement your exceptions:

    - Keyword rules in a Detection exception?

    - User list in a Group exception?

    - Sender/Recipient patterns in a Group exception?

    - Other...

    Are you looking for both values, "(list of senders) AND (list of recipients)", or any value, "(list of senders) OR (list of recipients)"?

     

     Regards.



  • 3.  RE: Reducing Exception in policy

    Posted Jan 13, 2017 05:40 AM

    As each department has its own exception criteria, I will try to explain as clearly as possible. All of it is configured as Group exceptions:

    - Department A

    only requires sender A to recipient B to be exempted

    - Department B

    a combination of keywords + sender C and recipient D to be exempted

    - Department C

    only requires sender E to recipient F to be exempted

    etc.



  • 4.  RE: Reducing Exception in policy

    Posted Jan 13, 2017 05:51 AM

    Is your business pushing you to have these highly complex exception rules, or have you tried to build these yourself?

    As the exception rules grow over time, they will most definitely cause an overhead, if not an outage (if you continually add more and more exceptions to each policy over time); push this back to the business so the onus is on them and not you for any outages.

    The length of time it takes for a given policy to load is dictated by the number of rows generated for what is called the "execution matrix", which is what is loaded into memory as a representation of the policy/ruleset and is designed to optimize detection performance.

    The execution matrix has a sort of Achilles heel when it comes to exception rules, which is best summed up by the simple formula below...

    num of rows = (number of matching rules) * (num of rules in exception 1) * (num of rules in exception 2) * ... * (num of rules in exception n)

    The number of "normal" rules adds very little overhead to the number of rows in the matrix, but when it comes to exception rules the number of rows can grow exponentially if each of the exception rules has more than one statement.

    A simple example would be a policy that had 10 normal rules and 5 exception rules, each with 4 statements. The math would be 10 * 4 * 4 * 4 * 4 * 4 = 10240 rows.

    When they get too big, the filereader process may fail to load in an appropriate time, adding a massive overhead onto mail throughput and essentially marking each EMP node of the load balancer as down, reducing the EMP footprint of available processing servers.

    You may need to consolidate the number of exception senders so that multiple departments have access to the same mailbox/SMTP sender address.

     

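The row formula quoted in the reply above can be run against the poster's own layout (one Group exception per department) and against the consolidated layout the reply suggests. The block below is an added example, not code from the thread or from the DLP product: it uses the reply's formula as given, the departments, senders and recipients are constructed sample data, and it also counts which sender/recipient pairs each layout exempts, because pooling senders and recipients into shared pattern lists exempts the full cross product, not only the pairs each department asked for.

```python
"""Estimate the size of the DLP policy "execution matrix" with the row formula
quoted in the reply above,

    rows = matching_rules * prod(statements in each exception rule)

and compare a per-department exception layout with a consolidated one.
Added example; the department, sender and recipient values are constructed.
"""
from functools import reduce
from itertools import product
from operator import mul


def execution_matrix_rows(matching_rules, statements_per_exception):
    """Row count of the execution matrix for one policy.

    matching_rules: number of "normal" detection rules in the policy.
    statements_per_exception: one entry per exception rule, giving how many
    statements (conditions) that exception rule contains.
    """
    if matching_rules < 0:
        raise ValueError("matching_rules must be non-negative")
    if any(n < 1 for n in statements_per_exception):
        raise ValueError("every exception rule needs at least one statement")
    return matching_rules * reduce(mul, statements_per_exception, 1)


# Constructed sample: each department asked for its own Group exception, one
# statement per condition (sender, recipient, optional keyword).
DEPARTMENTS = {
    "A": {"sender": "a@corp.example", "recipient": "b@partner.example"},
    "B": {"sender": "c@corp.example", "recipient": "d@partner.example",
          "keyword": "INVOICE"},
    "C": {"sender": "e@corp.example", "recipient": "f@partner.example"},
    "D": {"sender": "g@corp.example", "recipient": "h@partner.example"},
    "E": {"sender": "i@corp.example", "recipient": "j@partner.example"},
    "F": {"sender": "k@corp.example", "recipient": "l@partner.example",
          "keyword": "PAYROLL"},
}


def per_department_exceptions(departments):
    """One exception rule per department; statements = number of conditions."""
    return [len(conds) for conds in departments.values()]


def consolidated_exceptions(departments):
    """Merge every sender/recipient-only department into a single exception
    whose sender statement and recipient statement are pattern lists.
    Departments that also require a keyword keep their own 3-statement rule,
    because a shared keyword statement would change their semantics.
    """
    plain = [d for d in departments.values() if "keyword" not in d]
    keyworded = [d for d in departments.values() if "keyword" in d]
    layout = []
    if plain:
        layout.append(2)  # one sender-pattern statement + one recipient-pattern statement
    layout.extend(3 for _ in keyworded)
    return layout


def exempted_pairs_per_department(departments):
    """(sender, recipient) pairs exempted by the per-department layout: exactly
    the pairs the business asked for (keyword departments left aside)."""
    return {(d["sender"], d["recipient"]) for d in departments.values()
            if "keyword" not in d}


def exempted_pairs_consolidated(departments):
    """Pairs exempted once senders and recipients are pooled into pattern lists:
    the full cross product, so sender A -> recipient F is now exempt as well."""
    plain = [d for d in departments.values() if "keyword" not in d]
    senders = {d["sender"] for d in plain}
    recipients = {d["recipient"] for d in plain}
    return set(product(senders, recipients))


def compare(departments, matching_rules=10):
    """Return (rows before, rows after, intended pairs, pairs after pooling)
    so the size win and the over-exemption can be judged together."""
    before = execution_matrix_rows(matching_rules, per_department_exceptions(departments))
    after = execution_matrix_rows(matching_rules, consolidated_exceptions(departments))
    intended = len(exempted_pairs_per_department(departments))
    widened = len(exempted_pairs_consolidated(departments))
    return before, after, intended, widened


if __name__ == "__main__":
    # The reply's own arithmetic: 10 rules, 5 exceptions of 4 statements each.
    print(execution_matrix_rows(10, [4] * 5))
    before, after, intended, widened = compare(DEPARTMENTS)
    print(f"rows: {before} -> {after}")
    print(f"exempted sender/recipient pairs: {intended} intended, {widened} after pooling")
```

With the six constructed departments the matrix shrinks from 1440 rows to 180, but the four exact pairs become sixteen: consolidation is only safe if the business accepts that any listed sender may mail any listed recipient under the exception.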


  • 5.  RE: Reducing Exception in policy

    Trusted Advisor
    Posted Jan 13, 2017 09:34 AM

     

    Unfortunately, it is difficult to optimize them without an impact on your current exceptions. You may try to use sender/recipient patterns (if not already done), as they may better manage lists of email addresses; check if you can combine some exceptions into one, ...

    Usually, when I start to have exceptions as complex as yours, I externalize exception management by adding a custom plugin which checks each time whether the DLP incident matches one of my exceptions and, if yes, sets a specific custom attribute. So I am able to use this to remove it from normal incident processing. This also means you are able to use custom attribute values in your exceptions (like end-user department, country, ...) which may not be available when using exceptions in DLP policies. And one point for paranoid people: you are able to know how many incidents were excluded by your exceptions.

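The externalized approach described in the reply above, as an added illustration of the matching logic only: incidents are checked against an exception table held outside the policy, a match sets a custom attribute that downstream processing can filter on, and a per-rule counter records how many incidents each exception excluded. This is not the DLP plugin API and not the replier's plugin; the rule fields, the `department` attribute, the `exception` attribute name and all incidents are constructed for the example.

```python
"""Externalized exception matching: evaluate incidents against an exception
table outside the DLP policy, tag matches with a custom attribute and count
exclusions per rule. Added illustration; it does not use the DLP plugin API,
and the rules and incidents below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import fnmatch


@dataclass(frozen=True)
class ExceptionRule:
    rule_id: str
    sender: str                         # exact address or glob, e.g. "*@hr.corp.example"
    recipient: str
    keyword: Optional[str] = None       # must appear in the body (case-insensitive)
    department: Optional[str] = None    # custom attribute a policy exception cannot see

    def matches(self, incident):
        """All conditions must hold (AND semantics), like a policy exception."""
        if not fnmatch.fnmatchcase(incident["sender"].lower(), self.sender.lower()):
            return False
        if not fnmatch.fnmatchcase(incident["recipient"].lower(), self.recipient.lower()):
            return False
        if self.keyword and self.keyword.lower() not in incident.get("body", "").lower():
            return False
        if self.department and incident.get("department") != self.department:
            return False
        return True


class ExternalExceptions:
    def __init__(self, rules):
        self.rules = list(rules)
        self.excluded = Counter()   # rule_id -> incidents it excluded (the audit count)

    def apply(self, incident):
        """Set attributes["exception"] to the first matching rule id; otherwise
        return the incident unchanged so it stays in normal processing."""
        for rule in self.rules:
            if rule.matches(incident):
                self.excluded[rule.rule_id] += 1
                incident.setdefault("attributes", {})["exception"] = rule.rule_id
                return incident
        return incident

    @staticmethod
    def is_excluded(incident):
        return "exception" in incident.get("attributes", {})


# Constructed exception table: two exact sender/recipient pairs (one with a
# keyword) and one department-scoped rule using address globs.
RULES = [
    ExceptionRule("dept-A", "a@corp.example", "b@partner.example"),
    ExceptionRule("dept-B", "c@corp.example", "d@partner.example", keyword="INVOICE"),
    ExceptionRule("hr-any", "*@hr.corp.example", "*@payroll-vendor.example", department="HR"),
]

# Constructed incidents; the comments give the expected outcome.
INCIDENTS = [
    {"id": 1, "sender": "a@corp.example", "recipient": "b@partner.example"},            # dept-A
    {"id": 2, "sender": "a@corp.example", "recipient": "f@partner.example"},            # pairing kept: no match
    {"id": 3, "sender": "c@corp.example", "recipient": "d@partner.example",
     "body": "Q1 invoice attached"},                                                    # dept-B
    {"id": 4, "sender": "c@corp.example", "recipient": "d@partner.example",
     "body": "salary data"},                                                            # keyword missing: no match
    {"id": 5, "sender": "x@hr.corp.example", "recipient": "y@payroll-vendor.example",
     "department": "HR"},                                                               # hr-any
    {"id": 6, "sender": "x@hr.corp.example", "recipient": "y@payroll-vendor.example",
     "department": "Sales"},                                                            # wrong department: no match
]


def triage(rules, incidents):
    """Return (ids still in normal processing, exclusions per rule)."""
    ext = ExternalExceptions(rules)
    tagged = [ext.apply(dict(i)) for i in incidents]
    remaining = [i["id"] for i in tagged if not ext.is_excluded(i)]
    return remaining, dict(ext.excluded)


if __name__ == "__main__":
    remaining, counts = triage(RULES, INCIDENTS)
    print("still processed:", remaining)
    print("excluded per rule:", counts)
```

Because the table is data rather than policy statements, adding a department does not multiply anything in the policy's execution matrix, and the counter answers the "how many did my exceptions hide" question directly.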


  • 6.  RE: Reducing Exception in policy

    Posted Jan 16, 2017 12:50 AM

    Hi, thanks for all the responses, and yes, the business is pushing for the list of exceptions.

     

    One thing: can I know the difference between a Group Exception and a Detection Exception?



  • 7.  RE: Reducing Exception in policy

    Posted Jan 18, 2017 08:42 AM

    The only difference is the conditions available for the exceptions (sender/user/recipient/IP vs. content/metadata).